The Cyber Security Research and Development Act is one of four bills in the U.S. House and Senate that could double or triple the funding of NIST's (National Institute of Standards and Technology) Computer Security Division. Although corporate opinion is mostly in favor of NIST's existing functions, there is concern that any new certification process run by NIST could slow the development of new network security products and make them too expensive for corporate buyers. Mario Correa, director of Internet and Network Security Policy at the Business Software Alliance (BSA), maintains that although NIST is an excellent place for creating security standards, it would not be practical for the Institute to begin creating product standards. Correa believes that NIST should set a floor, not a ceiling, for network security products.

NIST is an arm of the U.S. Commerce Department; it selects cryptography standards and reviews the security standards of products purchased by the government. Because of this, vendors say that any new product standards could have a ripple effect on the industry, since they would become requirements for the programs and services the government buys. In other words, it would become advantageous for vendors of security products to adhere to NIST certifications even for their commercial products.

Since the attacks, NIST has stepped up its activity, working with the NSA to create targets for additional classes of network security products, such as operating systems, VPNs, and smart cards. Although NIST is praised for its ability to create cryptography standards, Steve Bellovin, a computer security expert with AT&T Labs and one of the directors of the Internet Engineering Task Force's Security Area, states that NIST does not have a good track record for developing broader-reaching security standards. Bellovin also states that there are two kinds of problems with security systems, architectural problems and buggy program code, and asserts that it is not known how to fix the architectural ones.

RON'S OPINION
I'm not sure, based on information in this news item, that Bellovin can say that he and his colleagues don't know how to fix the architectural flaws in security products. Although this article addresses flaws found in eBusiness applications, how many times have I written about vulnerabilities such as buffer overflows in products like IIS and zlib?

Far be it from me to say that problems like this will be easy to fix (finding and fixing code in large, well-established programs will prove to be boring and tedious), but sooner or later people are going to have to face the music and admit that the buffer overflow, for example, is a basic programming flaw that could affect the very core of the application in which it resides. I realize this is a programming “error,” but:

(This is a direct quote from our previous item.) What this means to me is that programming and architectural problems go hand in hand, and to say that you don't know how to fix architectural problems is more than a little misleading.

On the NIST front, I, too, am more than a little concerned about the government taking a bigger handful of our information security standards. However, I have yet to see the private sector step to the plate and consistently deliver reasonably secure products, something that the government is fortunately looking for.

What's the answer? I believe that finding out what's not the answer is a step in the right direction, but if you've got hundreds of people standing around saying, “That's not the right answer” to everyone who comes up with a plan, nothing gets done. Fact is, the 5 design guidelines outlined in the quote above are essential to good security products. That has to be our starting place.

Big Government Destroys What it Touches (2:49pm EST Wed Apr 24 2002)

Free markets and free minds have given us the P.C., the Palm, the Windows OS, and the Logitech Trackman Marble. All of which I saw being used on the USS Stennis aircraft carrier to manage attacks on Al-Qaeda.

Such crazy, dynamic, swift, beautiful free market systems exist because of a marketplace with minimal govt interference. As a result the USA and its govt can reap the rewards. - by Hulkamaniac

let government fix government problems (3:15pm EST Wed Apr 24 2002)

If government wants secure systems for government, the private sector is happy to oblige, especially since Uncle Sam is usually pretty generous with paychecks to politically well connected developers.

Anybody else that wants secure products can pay to fund them or find something already out there that may fit their needs for free.